Domain password reset results in account locked out.

I have posted here before so this may sound familiar. I work for a small company that has several locations throughout the U.S. We currently have the following setup for our domain:
DC/Exchange1 running Exchange 2003 on Windows Server 2003 32bit.
Exchange2 running Exchange 2007 on Windows Server 2008 64bit.

We are migrating users from DC/Exchange1 to Exchange2 in order to release Outlook 2013 company wide. We have approximately 30 users at our corporate office that are joined to the domain. We also have about 200 users throughout the other locations that have AD accounts in order to have a mailbox but are not using computers on the domain. We have created a new OU in AD for the Corporate users and computers. The DC/Exchange1 is located in the OU called Domain Controllers. The other servers on the domain are located in the OU Servers. I have moved the corporate users and computers to the new OU appropriately. Not all of these people have been migrated to the new Exchange2 server. We tried to implement a domain password policy that makes them change their password every 90 days with a 3 tries and you're locked out policy. Some of them haven't changed their password for several years and they immediately had to do so. I had them log out of their computer, change their password, and log in with the new one. They immediately got the message that their account was locked out. My partner in IT whose mailbox is currently on Exchange2 got the error. He noticed that when he checked his account on DC/Exchange1 it was NOT showing locked out. However the AD on Exchange2 was showing locked out for his account. What we would like is:

User able to change password at login prompt and forget it.
Password would sync with other Exchange server seamlessly.

None of the users in question log in to more than one computer and the ones that have had issues do NOT use mail on their cell phones.

We have turned off the policy for now until we get this straightened out. Can anyone help us with this issue as to why the servers aren't syncing?

I appreciate any help you can give me. And please understand I am not a network technician or engineer. This is my first foray into Exchange and my director is not familiar with Exchange 2007. Any help in easy to understand language is definitely appreciated.

We get a lot of lockouts whenever users reset their passwords. The cause is always related to another computer, phone, webmail session, or Citrix session which has the old password, and which didn't get the new password when the user changed it, and which is still communicating with the network with the previous password. This happens even if they have logged out of the offending computer, because the computer is still on and communicating with the network. (I have seen far too many cases of this to doubt that this is actually occurring.) This problem is greatly compounded for us as compared to other companies, because we require password resets every 35 days or less. As soon as many users change their password, they immediately get locked out; or they get locked out as soon as they arrive on site and their iPhone then can ping our wifi network, because they failed to also update their password in the iPhone wifi settings.

In your case, it sounds like Exchange1 and Exchange2 aren't talking to each other correctly, and are therefore not keeping each other updated as to password changes. I'm not knowledgeable enough on Exchange to tell you how to fix it, but I am certain that this is what is causing the locked accounts.

You must have more than one DC but your description only says you have DC1 on Exchange 1. It seems you have another DC on the Exchange 2 server, is this the case?

You first need to check that the DCs are replicating. Run "replmon" for this.
Next you need to check where the accounts are locked out. The easiest way to do this is with LockoutStatus, which will show the time and DC where the lockout occurred.
Once you know where and when the lockout occurred you can view the system and security logs on that DC to see exactly what caused the lockout.
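To locate where the bad credentials are coming from, as the steps above describe, here is an added PowerShell example (not from this thread) that queries a DC's Security log for lockout and bad-password events for one account and reports the caller computer or IP. It assumes a DC running Windows Server 2008 or later (event IDs 4740, 4771 and 4776); a Windows Server 2003 DC logs lockouts as event 644 and cannot be queried with Get-WinEvent.

```powershell
# Added example, not from the thread. Reports where bad credentials came from for
# one account, using the DC's Security log. Assumes a DC on Windows Server 2008 or
# later: 4740 = account locked out, 4771 = Kerberos pre-auth failure, 4776 = NTLM
# credential validation failure. A DC's default audit policy logs all three.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,  # e.g. jsmith (assumed name)
    [string]$DomainController = $env:COMPUTERNAME,          # DC that recorded the lockout
    [int]$Hours = 24
)

# Pull a named field out of the event's XML so we do not depend on property order.
function Get-EventField($Event, [string]$Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$filter = @{
    LogName   = 'Security'
    Id        = 4740, 4771, 4776
    StartTime = (Get-Date).AddHours(-$Hours)
}

# -ErrorAction SilentlyContinue: Get-WinEvent throws when no events match the filter.
Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'TargetUserName') -eq $SamAccountName } |
    ForEach-Object {
        $evt = $_    # inside switch, $_ would refer to the switch value, not the event
        $source = switch ($evt.Id) {
            4740 { Get-EventField $evt 'TargetDomainName' }  # 4740 stores "Caller Computer Name" here
            4771 { Get-EventField $evt 'IpAddress' }         # Kerberos client address
            4776 { Get-EventField $evt 'Workstation' }       # NTLM source workstation
        }
        [pscustomobject]@{
            Time    = $evt.TimeCreated
            EventId = $evt.Id
            Account = $SamAccountName
            Source  = $source
            Status  = Get-EventField $evt 'Status'          # 0x18 (4771) / 0xC000006A (4776) = wrong password
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

The Source column of the 4771/4776 rows immediately before each 4740 is the device still holding the old password; a Kerberos address with no matching domain-joined machine is typically a phone or non-domain laptop.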

Paul T wrote: You must have more than one DC but your description only says you have DC1 on Exchange 1. It seems you have another DC on the Exchange 2 server, is this the case?

No, we have only one DC. Both Exchange servers do have Active Directory running though. I recall adding Active Directory Light to the Exchange2, but don't recall adding AD Users and Computers or the rest of AD. I have NOT promoted it to a DC.

Paul T wrote: Next you need to check where the accounts are locked out. The easiest way to do this is with LockoutStatus, which will show the time and DC where the lockout occurred.
Once you know where and when the lockout occurred you can view the system and security logs on that DC to see exactly what caused the lockout.

Is this still necessary? What you're saying makes sense with the symptoms, however we have only the one DC. We simply are moving the mailboxes from Exchange1 to Exchange2 a few at a time. The user in question only uses one computer, does not use her phone for mail and does not log in remotely. Her mailbox is still on the Exchange1 but her lockout would not go away. The IT employee was locked out on Exchange2 since his mailbox is there, but not on Exchange1. As soon as he cleared on Exchange2 it locked him out on Exchange1.

Active Directory Light?!? Do you have 2 ADs running?
If you only have one DC - always a bad idea - then the only way to lock out an account is to have a session still running on another computer. To solve this you need to view the server logs to see where the bad credentials are being used.

Paul T wrote: Active Directory Light?!? Do you have 2 ADs running?

The tutorial I found to install Exchange 2007 stated that Active Directory Lightweight Services was a role that had to be installed before Exchange. No, AD is NOT running on Exchange2, just verified it and even though Active Directory Domain Controller is installed it is disabled under services.

Paul T wrote: If you only have one DC - always a bad idea - then the only way to lock out an account is to have a session still running on another computer. To solve this you need to view the server logs to see where the bad credentials are being used.

I will do that when I get the chance. But I'm still at a loss as to why the 2 servers are not syncing when they shouldn't even require syncing.

Active Directory Lightweight Services seems to be the problem. It's an additional AD service to separate the IDs / authentication from your normal ID repository, be it AD or other and would not normally be used for an internal Exchange environment. Your Exchange server should be using AD on the DC, then there is no sync issue. I don't know how to persuade the two to sync, nor how to remove ADLS with Exchange already running.

cheers, Paul

Why would Microsoft recommend installing a role for an Exchange server that is going to cause a problem? Installing ADLS was actually one of the steps in a Microsoft tutorial. I am thinking that the AD Domain services needs to be uninstalled, but don't know if it can be easily done with Exchange already installed and operating. Any thoughts?

AFAICT AD LDS is for situations where you either don't have AD or you want to keep credentials separate for an application, in your case Exchange. Personally I can't see where you would use this outside a hosting service.

Exchange is already running so removing AD LDS would break it. Short of starting again from scratch I can't see a fix. I suggest you ask some Exchange consultants for a quote to fix the problem - if they don't know how they won't quote (I hope).

Thank you to all who have attempted to help in this situation. We have narrowed down the culprit as being people who are on the domain that also use a laptop not on the domain to access email or who use their phone to access email. When changing the password on their computer it would lock out the Exchange account with the other device until they changed the password on both of them and we unlocked the account. Also some of them were initially trying to reset their password with their phone. We quickly remedied that situation by educating the end users. We will be more careful in the future about resetting passwords.

Something I advise users to do: change their email settings on their phones to not check as often. For example, check every five minutes rather than every minute. This gives them more time to reset their password on their phone. In fact, some users set their email on their phone to be entirely manual, thereby preventing lockouts from the email on their phone; but that isn't realistic for most users.

In the case of wifi, I advise them to first "forget" our network on their iPhone, or delete it from the list of wireless networks on their Android; then reset their password on the network; then reconnect from their wireless device.

The only device which will not lock their account is a Blackberry, if they have a license for the BES (Blackberry Enterprise Server). On an older Blackberry, the password was automatically kept up to date; starting with Blackberry OS 10, they must update their password on the Blackberry; but if they don't, the only problem is that the Blackberry will quit receiving email; their network account won't be locked.